Abstract. We present probabilistic algorithms for the problems of finding an irreducible polynomial of degree n over a finite field, finding roots of a polynomial, and factoring a polynomial into its irreducible factors over a finite field. All of these problems are of importance in algebraic coding theory, algebraic symbol manipulation, and number theory. These algorithms have a very transparent, easy to program structure. For finite fields of large characteristic p, so that exhaustive search through $Z_p$ is not feasible, our algorithms are of lower order in the degrees of the polynomial and fields in question than previously published algorithms.



Research on probabilistic algorithms in finite fields was work 
conducted during 1976 while at MIT. 
PROBABILISTIC ALGORITHMS IN FINITE FIELDS



Michael O. Rabin



In this paper we utilize the method of probabilistic algorithms to solve some important computational problems pertaining to finite fields. The questions we deal with are the following. Given a prime p and an integer n, how do we actually perform the arithmetical operations of $E = GF(p^n)$? Given a polynomial f(x) of degree m with coefficients in E, we wish to find a root $\alpha \in E$ of f(x) = 0, if such a root does exist. This is the root-finding problem. Finally, given a polynomial $f(x) \in E[x]$, we want to find the factorization $f = f_1 \cdot f_2 \cdots f_k$ of f into its irreducible factors $f_i(x) \in E[x]$. This is the factorization problem.

All of the above problems are of great significance in algebraic coding theory, see [2], in algebraic symbol manipulation, and in computational number theory.
Algorithms for the latter two problems are given in Berlekamp's [2] and more completely in the important paper [3], which culminates his own work on the subject and also incorporates important ideas of Collins, Knuth, Welch, Zassenhaus, and others.

Berlekamp solves the root-finding problem for $f \in GF(p^n)[x]$, deg(f) = m, by reducing it to the factorization problem of another polynomial $F(x) \in Z_p[x]$ ($Z_p = GF(p)$ is the field of residues mod p), where deg(F) = mn. The problem of factoring $F(x) \in Z_p[x]$ is solved by reducing it to finding the roots in $Z_p$ of another polynomial $G(x) \in Z_p[x]$. Thus everything is reduced to root-finding in $Z_p$. For root-finding in a large $Z_p$, a case in which search is not feasible, Berlekamp proposes a probabilistic algorithm involving a random choice of $\delta \in Z_p$. The article [3] does not contain a proof for the validity of this algorithm.
Our starting point is to solve directly the problem of root-finding in $GF(p^n) = E$ for polynomials $f \in E[x]$, by a probabilistic algorithm which generalizes to arbitrary finite fields Berlekamp's algorithm for $Z_p$. The validity of the algorithm is based on Theorem 4, which has a surprisingly simple proof.
We now base factorization of a polynomial $f(x) \in Z_p[x]$ on root-finding for the same f. Namely, if f(x) has irreducible factors $h_i(x) \in Z_p[x]$ of degree m, $1 \le i \le t$, then the product $D(x) = \prod h_i(x)$ of these factors can be readily found by computations in $Z_p[x]$. The roots of D(x) are in $GF(p^m)$ and the above root-finding algorithm allows us to directly find such a root $\alpha \in GF(p^m)$. The minimal polynomial $h(x) \in Z_p[x]$ of $\alpha$, which is of degree m, can be found by one of two methods given in Section 3. Now, $\alpha$ is also a root of some $h_i(x)$ of degree m, so that $h(x) = h_i(x)$, and we have found one irreducible factor of f(x). An iteration of this process finds all the irreducible factors. The same algorithm works for factorization of polynomials $f(x) \in E[x]$, where E is any finite field, by use of roots of the polynomial f(x) itself.

In terms of the number of $Z_p$-operations (additions and multiplications mod p of numbers $0 \le a, b < p$) used, our algorithms are of complexity proportional to log p. Thus they are feasible even for fields $GF(p^n)$ where p is so large that exhaustive search through $Z_p$ is not possible.

Leaving out the factor log p and factors of order log n · log log n, the algorithms presented here have the following complexities. A root of $f(x) \in GF(p^n)[x]$, deg f = m, can be found in $O(n^2 m)$ $Z_p$-operations. A polynomial $f(x) \in Z_p[x]$, deg(f) = n, can be factored in $O(n^3)$ operations.

If the arithmetical operations of the field $E = GF(p^n)$ are wired into circuitry so that an E-operation can be viewed as a unit, then the above root-finding algorithm uses O(nm) operations. Under the same assumption for the fields $GF(p^i)$, $i \le n$, the factorization of f(x) uses $O(n^2)$ operations.

The root-finding and factorization algorithms for the case of large p given in [3] are of higher order in the degrees involved. Root-finding for $f(x) \in GF(p^n)[x]$, deg(f) = m, uses $O((nm)^2 \cdot m)$ $Z_p$-operations. Factorization of $f \in Z_p[x]$, deg(f) = n, uses $O(n^{?})$ $Z_p$-operations; the exponent is not legible in the source, but by the preceding remark it exceeds that of our $O(n^3)$ algorithm.

If p is small so that it is practicable to find a solution in $Z_p$ of f(x) = 0 by search, then a more careful comparison between the algorithms given here and the non-probabilistic algorithms presented in [3] is necessary. The latter algorithm for factorization will run in time $O(n^3)$ but there is an O(p) factor. Our algorithm will run in $O(n^3)$ (in the non-preprocessed case) with a factor of O(log p). Thus for very small p, exact comparisons will depend on the numerical constants involved. However, the algorithms given here are sufficiently fast in all cases to justify their use even for small values of p.

The probabilistic nature of our algorithms does not detract from their practical applicability. The basic probabilistic step is a random choice of an element $\delta \in E$ which is then used in an attempt to split a polynomial f(x) into two factors. We prove that for any fixed finite field E and any fixed f(x), the probability of success by such a random choice is at least half. Thus the expected number of such steps leading to success is at most two. Furthermore, in an algorithm involving many such steps, the probability of a run of bad random choices leading to a significant deviation from the expected total number of steps is very small.
1. ARITHMETIC OF GF(p^n)



Let p be a prime, n an integer and $q = p^n$. As customary, denote by GF(q) = E the unique finite field of q elements. In particular $GF(p) = Z_p$ is the field of residues mod p. We want to actually compute with elements of E. For $Z_p = \langle \{0, 1, \ldots, p-1\}, +, \cdot \rangle$, the operations are simply addition and multiplication mod p. If



(1)  $g(x) = x^n + a_{n-1}x^{n-1} + \cdots + a_0 \in Z_p[x]$,

is an irreducible polynomial of degree n, then

$GF(p^n) \cong Z_p[x]/(g(x))$,

where (g) is the ideal generated by g. Given such a g(x), E can be represented as the set of n-tuples of elements of $Z_p$. Let $\beta = (b_{n-1}, \ldots, b_0)$, $\gamma = (c_{n-1}, \ldots, c_0)$. Addition is component-wise. To multiply, form

$d(x) = (b_{n-1}x^{n-1} + \cdots + b_0)(c_{n-1}x^{n-1} + \cdots + c_0)$

and find the residue $\delta(x) = d_{n-1}x^{n-1} + \cdots + d_0$ of d(x) when divided by g(x). Then $\beta \cdot \gamma = (d_{n-1}, \ldots, d_0)$.

Thus we need a method for finding an irreducible polynomial (1). To test for irreducibility we use the following.

LEMMA 1. Let $\ell_1, \ldots, \ell_k$ be all the prime divisors of n and denote $n/\ell_i = m_i$. A polynomial $g(x) \in Z_p[x]$ of degree n is irreducible in $Z_p[x]$ if and only if

(2)  $g(x) \mid (x^{p^n} - x)$,

(3)  $(g(x),\ x^{p^{m_i}} - x) = 1,\quad 1 \le i \le k$,

where (a, b) denotes the greatest common divisor of a and b.

Proof. Assume that g(x) is irreducible; then every root $\alpha$ of g(x) = 0 lies in $E = GF(p^n)$. Hence $\alpha^{p^n} - \alpha = 0$, and $(x - \alpha) \mid (x^{p^n} - x)$. Since g(x) has no multiple roots, (2) follows.

Since g(x) is irreducible of degree n, it has no roots in any field $GF(p^m)$, m < n. This directly implies (3).

Assume conversely that (2) and (3) hold. From (2) it follows that all roots of g(x) = 0 are in $E = GF(p^n)$. Assume that g has an irreducible factor $g_1(x)$ of degree m < n. The roots of $g_1(x)$ lie in $GF(p^m)$, which is generated over $Z_p$ by any one of these roots. Hence $GF(p^m) \subset E$ and $m \mid n$. Consequently $m \mid m_i$ for one of the maximal divisors $m_i$ of n, and all roots of $g_1(x)$ lie in $GF(p^{m_i})$. But then $(g(x), x^{p^{m_i}} - x)$ is divisible by $g_1(x)$, contradicting (3). Thus g(x) must be irreducible.

In computing the number of operations required to test a given polynomial for irreducibility we count, here and elsewhere in this article, in terms of arithmetical operations of $Z_p$. To obtain a bit-operations count, we should multiply our results by B(p), the number of bit operations required to multiply or divide two numbers of log p bits. As is well known, B(p) can be taken to be O(log p · log log p).

In order to shorten subsequent formulas we introduce the following

Notation: $L(n) = \log n \cdot \log\log n$.

n 
The computation of $(g(x), x^{p^n} - x)$ is executed by computing $x^{p^n}$ modulo g(x). As is well known, $x^{p^n}$ can be calculated by at most $2 \log p^n = 2n \log p$ multiplications mod g(x). Since we compute mod g(x) we never deal with polynomials of degree greater than 2n.

It is shown in [4] that multiplying two n-degree polynomials with coefficients in any finite field can be done by O(n log n log log n) = O(n L(n)) field operations. Consequently division and finding the remainder can be done in O(nL(n)) operations, see [1, p. 288]. Thus the basic step of computing r(x)·s(x) mod g(x), where deg(r), deg(s) ≤ n − 1, uses O(nL(n)) operations. The computation of $x^{p^n}$ uses $O(n^2 L(n) \log p)$ operations.

To test (3) we need $k \le \log n$ computations of the above type, so that the total number of operations is $O(n^2 \log n\, L(n) \log p)$.

The search for an irreducible polynomial of degree n is based on the following result which is a weaker form, sufficient for our purposes, of Theorem 3.3.6 [2]. We give a proof not utilizing generating functions.

LEMMA 2. Denote by m(n) the number of different monic polynomials in $Z_p[x]$ of degree n which are irreducible. Then

(4)  $p^n - p^{n/2} \log n \le n \cdot m(n) \le p^n,$

(5)  $\frac{1}{n} - \frac{\log n}{n\, p^{n/2}} \le \frac{m(n)}{p^n} \le \frac{1}{n}.$

Note that $p^n$ is the number of all monic polynomials of degree n.

Proof. Let $g_1(x), \ldots, g_A(x)$, A = m(n), be all the pairwise different irreducible monic polynomials of degree n. Any element $\alpha \in E = GF(p^n)$ which is of degree n over $Z_p$ satisfies exactly one equation $g_i(x) = 0$, and each such equation has exactly n such roots. If $H \subset E$ is the set of elements of degree n over $Z_p$, then c(H)/n = m(n).

An element $\alpha \in E$ is in H if it is not in any proper maximal subfield $GF(p^{m_i}) \subset E$, where $m_i$ is a maximal divisor of n (see the notation in Lemma 1). The cardinality of such a subfield is at most $p^{n/2}$ and the number of these maximal subfields is smaller than log n. Thus $p^n - p^{n/2} \log n \le c(H) \le p^n$, from which (4) and (5) follow.

In [2] Berlekamp remarks that Theorem 3.3.6 means that a randomly chosen polynomial of degree n will be irreducible with probability nearly 1/n, without suggesting to base an algorithm on this fact. In the general spirit of the present paper, we solve the problem of finding an irreducible polynomial by randomization.
The algorithm for finding an irreducible polynomial proceeds as follows. Choose a polynomial (1) randomly and test for irreducibility; continue until an irreducible polynomial of degree n is found. Lemma 2 ensures that the expected number of polynomials to be tried before an irreducible one is found is about n. Thus the expected number of operations (in $Z_p$) for finding an irreducible polynomial of degree n is $O(n^3 \log n\, L(n) \log p)$.

The root-finding algorithm for GF(q) assumes that the arithmetic of this field is given, so that the question of finding an irreducible polynomial actually does not arise.

In the factorization of a polynomial of degree n we may need computations in fields $GF(p^{n_i})$, $1 \le i \le t$, such that $\sum n_i \le n$. The count of all operations, including the precomputation of the $g_{n_i}(x)$, will use the following.

LEMMA 3. Let $n_i$, $1 \le i \le t$, satisfy $\sum n_i \le n$. The expected number of operations used for finding irreducible polynomials $h_i(x)$, $\deg(h_i) = n_i$, $1 \le i \le t$, is $O(n^3 \log n\, L(n) \log p)$.

Proof.

$\sum_i n_i^3 \log n_i\, L(n_i) \log p \;\le\; n^2 \log n\, L(n) \log p \sum_i n_i \;\le\; n^3 \log n\, L(n) \log p.$
2. ROOT-FINDING IN GF(p^n)



Let E = GF(q) be a fixed finite field, and $f(x) \in E[x]$ be a polynomial of degree m. We wish to find one (or all) of the roots $\alpha \in E$ of f(x) = 0. We give a probabilistic algorithm for this problem, which is a generalization of the algorithm given in Berlekamp [3] for prime fields $Z_p$, to arbitrary finite fields E. Our proof for the validity of the general algorithm of course applies also to the special case of $Z_p$, which is given essentially without proof in [3].

Assume for the time being that $q = p^n$ is odd. We shall indicate later how to treat the important case $q = 2^n$.

Form the g.c.d.

$f_1(x) = (f(x),\ x^{q-1} - 1).$
If $f_1(x) = 1$ then f(x) has no nonzero root in E. In general

$f_1(x) = (x - \alpha_1) \cdots (x - \alpha_k),\quad k \le m,$

where the $\alpha_i$ are all the pairwise different nonzero roots in E of f(x) = 0. (Every nonzero element of E is a root of $x^{q-1} - 1$ and 0 is not, so $f_1$ collects exactly the nonzero roots; the root 0, if present, is detected directly by testing f(0) = 0.)
Now

(6)  $x^{q-1} - 1 = (x^d - 1)(x^d + 1),\quad d = \frac{q-1}{2}.$



The next natural step is to try $(f_1(x), x^d - 1)$. If some of the $\alpha_i$ satisfy $\alpha_i^d - 1 = 0$ while others satisfy $\alpha_i^d + 1 = 0$, then this g.c.d. will be a true divisor of $f_1(x)$, and we will have further advanced towards the goal of finding a linear factor $x - \alpha$, i.e. a root, of f(x). In general we are not guaranteed that the g.c.d. will be different from 1 or $f_1(x)$. However, this advantageous situation can be created by randomization.

Call $\alpha, \beta \in E$, $\alpha \ne 0$, $\beta \ne 0$, of different type if $\alpha^d \ne \beta^d$, where $d = \frac{q-1}{2}$.

THEOREM 4. Let $\alpha_1, \alpha_2 \in E$, $\alpha_1 \ne \alpha_2$. Then

(7)  $\frac{q-1}{2} = c(\{\delta \mid \delta \in E,\ \alpha_1 + \delta \text{ and } \alpha_2 + \delta \text{ are of different type}\}).$

Proof. Since $\beta^d = \pm 1$ for every nonzero $\beta \in E$, the elements $\alpha_1 + \delta$ and $\alpha_2 + \delta$ are of different type if and only if neither is zero and $\left(\frac{\alpha_1 + \delta}{\alpha_2 + \delta}\right)^d = -1$. The equation $x^d = -1$ has exactly $d = \frac{q-1}{2}$ solutions in E, none of them equal to 0 or 1. Consider the 1-1 mapping $\phi(\delta) = \frac{\alpha_1 + \delta}{\alpha_2 + \delta}$. As $\delta$ ranges over $E - \{-\alpha_2\}$, $\phi(\delta)$ ranges over $E - \{1\}$. Thus for exactly $\frac{q-1}{2}$ values of $\delta$, $\phi(\delta)^d = -1$. This implies (7).
COROLLARY 5. Consider for $\delta \in E$ the g.c.d. $f_\delta(x) = (f_1(x),\ (x + \delta)^d - 1)$. We have

(8)  $\frac{1}{2} \le \Pr(\delta \mid 0 < \deg f_\delta(x) < \deg f_1).$

Proof. The common roots of $f_1(x)$ and $(x + \delta)^d - 1$ are those $\alpha_i$ ($f_1(\alpha_i) = 0$) for which $(\alpha_i + \delta)^d - 1 = 0$. By Theorem 4, with probability 1/2, $\alpha_1 + \delta$ has this property while $\alpha_2 + \delta$ does not, or vice versa. This entails (8). Actually the probability is nearly $1 - 1/2^k$, where $\deg f_1 = k$, but we cannot prove this.

Root-finding algorithm. Given f(x) of degree m, compute $f_1(x)$. Choose $\delta \in E$ randomly and compute $f_\delta(x)$. If $0 < \deg f_\delta < \deg f_1$ then let $f_2(x) = f_\delta(x)$ or $f_2(x) = f_1/f_\delta$, according as to whether $\deg f_\delta \le \frac{1}{2} \deg f_1$ or not. If $f_\delta = 1$ or $f_\delta = f_1$ choose another $\delta$ and repeat the previous step. By Corollary 5, the expected number of choices of $\delta \in E$ until we find $f_2(x)$ is less than 2. Since the degree is at least halved in each step, after at most log m steps we find a linear factor $x - \alpha$ of f(x), i.e. a root.

The number of (field-E) arithmetical operations required for finding $f_1(x)$ and $f_2(x)$ is $O(n \cdot m L(m) \log p)$, where $E = GF(p^n)$. Since $\deg f_2 \le m/2$, it follows that the number of operations for finding $f_3(x)$ is at most half the number of operations for finding $f_2$, and similarly for $f_4$ etc. Thus the total number of E-operations used for finding a root of f(x) is still just $O(n \cdot m L(m) \log p)$.

In terms of operations in $Z_p$, each E-operation requires O(nL(n)) operations with residues modulo p. Thus the total (expected) number of $Z_p$-operations for root-finding is

(9)  $O(n^2 \cdot m\, L(m) L(n) \log p)$



3. FACTORIZATION OF POLYNOMIALS 



Let $f(x) \in Z_p[x]$ be a polynomial of degree n which we want to factor into its irreducible factors. We may assume that f'(x) (the derivative) is not zero. For otherwise $f(x) = (g(x))^{p^k}$ where $g'(x) \ne 0$, and this g is readily found. For example, $x^{2p} + a x^p + b = (x^2 + a x + b)^p$. By calculating $(f(x), f'(x)) = h(x)$, and f/h, we have reduced the problem to factoring a polynomial with no repeated factors. Calculate

$g_m(x) = (f(x),\ x^{p^m} - x),\quad 1 \le m \le n.$

Since $GF(p^m)$ consists exactly of all the elements of degrees i, $i \mid m$, over $Z_p$, we have that $g_m(x)$ is the product of all irreducible factors $h(x) \mid f(x)$ of degrees $i \mid m$.

Choose the $g_m \ne 1$ of lowest index m. If $\deg(g_m) = \ell$, then

$g_m(x) = h_1(x) \cdots h_k(x),\quad k \cdot m = \ell,$

and each $h_j(x)$ is irreducible of degree m. All roots of $g_m(x)$ are in $GF(p^m)$. Find a root $\alpha$ of $g_m(x) = 0$. This root is a root of a unique $h_j(x)$.

To find this $h_j(x)$ form the powers

(10)  $1, \alpha, \ldots, \alpha^m.$

These elements of $GF(p^m)$ are m-component vectors with coordinates in $Z_p$. Solve the system of linear equations

(11)  $b_0 + b_1 \alpha + \cdots + b_{m-1} \alpha^{m-1} + \alpha^m = 0,$

where the $b_i$, $0 \le i \le m-1$, are the unknowns and the coordinates of the $\alpha^i$ are the coefficients. Now, $h_j(x) = x^m + b_{m-1}x^{m-1} + \cdots + b_0$.
m— X 

Another way for computing $h_j(x)$ was suggested by M. Ben-Or. Note that $h_j(x)$ is irreducible of degree m. Since $\phi(\xi) = \xi^p$ is an automorphism of $GF(p^m)$ over the field $Z_p$, the conjugates of $\alpha$ are

(12)  $\alpha_0 = \alpha,\ \alpha_1 = \alpha^p,\ \ldots,\ \alpha_{m-1} = \alpha^{p^{m-1}}.$

The polynomial $h_j(x)$ is now obtained by the calculation in $GF(p^m)$ of

(13)  $h_j(x) = (x - \alpha_0)(x - \alpha_1) \cdots (x - \alpha_{m-1}).$

Using either one of the above methods, one irreducible factor of $g_m(x)$ (and of f(x)) is found. Next we find a root $\beta$ of $g_m(x)/h_j(x)$ and another factor $h_{j'}(x)$ of $g_m(x)$, and so on.
Proceeding to factor the other $g_r(x)$, we choose $g_r(x) \ne 1$ with the lowest index r > m. If $m \nmid r$ then $g_r(x)$ is the product of irreducible factors of degree r. If $m \mid r$ then $g_m \mid g_r$ and $g_r/g_m$ is the product of such factors. Factor $g_r(x)$ or $g_r/g_m$ into its irreducible factors of degree r by one of the above methods.

In general, let $m_1 < m_2 < \cdots < m_t \le n$ be the indices for which $g_{m_i} \ne 1$. After i − 1 steps we found $D_1(x), \ldots, D_{i-1}(x)$, where $D_j(x)$ is the product of all irreducible factors of degree $m_j$ of f(x), and each $D_j(x)$ is factored. (Note that $D_j(x) = 1$ is possible despite $g_{m_j} \ne 1$. For example, f(x) may have irreducible factors of degrees 2 and 3, but no irreducible factors of degree 6. In this case $D_2(x) \ne 1$, $D_3(x) \ne 1$, $D_6(x) = 1$, and $g_6(x) = D_2(x) D_3(x)$.) Now,

(14)  $D_i(x) = g_{m_i}(x) \Big/ \prod_{m_j \mid m_i,\ m_j < m_i} D_j(x).$

If $D_i(x) \ne 1$ and $m_i < \deg D_i(x)$, then factor it by the above method. If $m_i = \deg D_i(x)$ then $D_i(x)$ is already irreducible of degree $m_i$, and f(x) has exactly one irreducible factor of this degree.
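The following program is an added worked example and is not code from the paper: it implements, over small primes, the $GF(p^n)$ arithmetic of Section 1, the irreducibility test of Lemma 1 and the random search justified by Lemma 2, the root-finding algorithm of Section 2 (Corollary 5), and the factorization of Section 3 with each factor $h_j$ obtained from one of its roots by Ben-Or's formulas (12) and (13). The coefficient-list representation, the `Zp`/`Ext` field objects and all function names are this example's own choices, and schoolbook polynomial multiplication is used instead of the fast multiplication of [4], so the operation counts of Section 4 do not apply to it.

```python
import random

class Zp:                                  # the prime field Z_p = GF(p); q = |field|
    def __init__(self, p): self.p = self.q = p; self.zero, self.one = 0, 1
    def add(self, a, b): return (a + b) % self.p
    def neg(self, a): return -a % self.p
    def mul(self, a, b): return a * b % self.p
    def inv(self, a): return pow(a, -1, self.p)
    def rand(self): return random.randrange(self.p)

# Polynomials over a field F: coefficient lists, constant term first, no leading zeros.
def trim(a, F):
    while a and a[-1] == F.zero: a.pop()
    return a

def padd(a, b, F):
    n = max(len(a), len(b))
    a, b = a + [F.zero] * (n - len(a)), b + [F.zero] * (n - len(b))
    return trim([F.add(x, y) for x, y in zip(a, b)], F)

def psub(a, b, F): return padd(a, [F.neg(y) for y in b], F)

def pmul(a, b, F):                         # schoolbook product (no fast multiplication here)
    r = [F.zero] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b): r[i + j] = F.add(r[i + j], F.mul(x, y))
    return trim(r, F)

def pdivmod(a, b, F):                      # quotient and remainder on division by b != 0
    a, q, lead = a[:], [F.zero] * max(0, len(a) - len(b) + 1), F.inv(b[-1])
    while a and len(a) >= len(b):
        c, d = F.mul(a[-1], lead), len(a) - len(b)
        q[d] = c
        for i, y in enumerate(b): a[i + d] = F.add(a[i + d], F.neg(F.mul(c, y)))
        trim(a, F)
    return trim(q, F), a

def pgcd(a, b, F):                         # monic greatest common divisor (a, b)
    while b: a, b = b, pdivmod(a, b, F)[1]
    return [F.mul(F.inv(a[-1]), c) for c in a] if a else a

def ppowmod(a, e, m, F):                   # a^e mod m by repeated squaring
    r, a = [F.one], pdivmod(a, m, F)[1]
    while e:
        if e & 1: r = pdivmod(pmul(r, a, F), m, F)[1]
        a, e = pdivmod(pmul(a, a, F), m, F)[1], e >> 1
    return r

class Ext:                                 # E = GF(p^n) = Z_p[x]/(g), g monic irreducible of degree n
    def __init__(self, p, g):
        self.B, self.g, self.q, self.zero, self.one = Zp(p), g, p ** (len(g) - 1), [], [1]
    def add(self, a, b): return padd(a, b, self.B)
    def neg(self, a): return [self.B.neg(c) for c in a]
    def mul(self, a, b): return pdivmod(pmul(a, b, self.B), self.g, self.B)[1]
    def inv(self, a): return ppowmod(a, self.q - 2, self.g, self.B)      # a^(q-2) = a^(-1)
    def rand(self): return trim([self.B.rand() for _ in range(len(self.g) - 1)], self.B)

def is_irreducible(g, p):                  # Lemma 1: condition (2), then (3) for each prime r | n
    F, n, x = Zp(p), len(g) - 1, [0, 1]
    if ppowmod(x, p ** n, g, F) != pdivmod(x, g, F)[1]: return False
    primes = [r for r in range(2, n + 1) if n % r == 0 and all(r % d for d in range(2, r))]
    return all(len(pgcd(g, psub(ppowmod(x, p ** (n // r), g, F), x, F), F)) == 1 for r in primes)

def random_irreducible(p, n):              # Lemma 2: about n random monic trials are expected
    while True:
        g = [random.randrange(p) for _ in range(n)] + [1]
        if is_irreducible(g, p): return g

def find_root(f, F):                       # Section 2 (needs q = |F| odd); None if no root in F
    if f[0] == F.zero: return F.zero       # 0 is not a root of x^(q-1) - 1, so test it directly
    q, x = F.q, [F.zero, F.one]
    f1 = pgcd(f, psub(ppowmod(x, q - 1, f, F), [F.one], F), F)     # (x - a_1)...(x - a_k)
    while len(f1) > 2:                     # split until one linear factor x - a is left
        h = psub(ppowmod([F.rand(), F.one], (q - 1) // 2, f1, F), [F.one], F)  # (x+d)^((q-1)/2) - 1
        g = pgcd(f1, h, F)                 # a proper divisor of f1 with probability about 1/2
        if 1 < len(g) < len(f1): f1 = min(g, pdivmod(f1, g, F)[0], key=len)
    return F.neg(f1[0]) if len(f1) == 2 else None

def min_poly(a, E):                        # (12)-(13): product over i of (x - a^(p^i)), computed in E[x]
    h = [E.one]
    for _ in range(len(E.g) - 1):
        h, a = pmul(h, [E.neg(a), E.one], E), ppowmod(a, E.B.p, E.g, E.B)
    return [c[0] if c else 0 for c in h]   # the coefficients lie in Z_p

def factor(f, p):                          # Section 3 for f in Z_p[x], p odd, f' != 0
    F, x, out = Zp(p), [0, 1], []
    f = pdivmod(f, pgcd(f, trim([i * c % p for i, c in enumerate(f)][1:], F), F), F)[0]
    for m in range(1, len(f)):             # g_m = (f, x^(p^m) - x) on the part of f not yet factored
        if len(f) <= 1: break
        g = pgcd(f, psub(ppowmod(x, p ** m, f, F), x, F), F)
        f = pdivmod(f, g, F)[0]
        while len(g) > 1:                  # g is a product of irreducibles of degree m
            E = Ext(p, random_irreducible(p, m))
            h = min_poly(find_root([[c] if c else [] for c in g], E), E)
            out.append(h); g = pdivmod(g, h, F)[0]
    return sorted(out, key=lambda h: (len(h), h))
```

`factor` removes repeated factors by dividing out $(f, f')$ and therefore assumes $f' \ne 0$; it also assumes p odd, since the split of Corollary 5 needs q odd. Because the factors of degree m are divided out of f as soon as they are found, the g.c.d. computed at stage m is already $D_m(x)$ and the quotient (14) is not needed. Every field element of $GF(p^m)$ is a trimmed coefficient list over $Z_p$, so a $Z_p$-coefficient c is embedded as `[c]` (and 0 as `[]`) before a polynomial in $Z_p[x]$ is handed to `find_root` over the extension.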
4. COUNTING OPERATIONS

Let us now count the number of $Z_p$-operations required to factor a polynomial $f(x) \in Z_p[x]$ of degree n. The cost of getting rid of multiple factors of f(x) and of discovering the factors $D_i(x)$ defined in Section 3 is majorized by the cost of factoring the $D_i(x)$, so that we confine ourselves to estimating the latter cost.

We have $f(x) = D_1(x) \cdots D_t(x)$, where $\deg D_i = d_i$. Each $D_i(x) = h_{i1}(x) \cdots h_{ik_i}(x)$, where $\deg h_{ij} = m_i$, and $h_{ij}$ is irreducible. The algorithm of Section 3 seeks $k_i$ roots $\beta_1, \ldots, \beta_{k_i}$ of $D_i(x) = 0$, one for each factor $h_{ij}(x)$, so that $h_{ij}(\beta_j) = 0$. Using the operation count (9) for root-finding, where $n = m_i$ (because $\beta_j \in GF(p^{m_i})$, $1 \le j \le k_i$) and $\deg D_i = d_i$, we get $O(m_i^2 d_i L(d_i) L(m_i) \log p)$ for finding one root, say $\beta_1$.

We then find $h_{i1}(x)$ by (11) or (13). Next we find a root of $D_i(x)/h_{i1}(x)$, so that we are sure that the root belongs to a $h_{ij} \ne h_{i1}$. Overestimating by not using the fact that $\deg(D_i/h_{i1}) = d_i - m_i$ etc., we get $O(k_i m_i^2 d_i L(d_i) L(m_i) \log p)$ for the total number of $Z_p$-operations to find the relevant roots of $D_i(x)$. Since $k_i m_i = d_i$ and $m_i \le d_i$ we get

(15)  $O(d_i^3 L(d_i)^2 \log p)$

as a bound on these operations for $D_i(x)$. Since $n = \sum d_i$ we obtain by summation from (15), in the manner of deriving Lemma 3,

(16)  $O(n^3 L(n)^2 \log p)$

as a bound on the cost of finding all the necessary roots of all the $D_i(x)$.

The first method for finding the $h_{ij}(x)$, once a root for each $h_{ij}(x)$ is given, employs $O(m_i^2 L(m_i))$ $Z_p$-operations to calculate the sequence (10) of powers of the given root. The solution in $Z_p$ of the system (11) of $m_i$ linear equations in $m_i$ unknowns uses $O(m_i^3)$ operations, which majorizes the previous term. Summing over all the $h_{ij}(x)$ and overestimating we get $O(n^3)$ $Z_p$-operations for finding all the $h_{ij}(x)$, $1 \le i \le t$, $1 \le j \le k_i$.
We now estimate the operations used in Ben-Or's method for computing the $h_{ij}(x)$ from the roots. Using the notation of (12) and (13), so that the root is $\alpha$ and $\deg(h_{ij}(x)) = m_i$, we use $O(m_i \log p)$ $GF(p^{m_i})$-multiplications to perform the $m_i$ raisings to exponent p. Counting $Z_p$-operations, we get

(17)  $O(m_i^2 L(m_i) \log p)$

operations for computing the sequence (12).

The formation of the product (13) is a computation of the polynomial h(x) from its given roots $\alpha_0, \alpha_1, \ldots, \alpha_{m-1}$. Using the result of [1, p. 299], and taking into account that in a finite field we require O(m L(m)) (instead of O(m log m)) operations to multiply two polynomials of degree m, we get that

(18)  $O((m_i L(m_i))^2 \log m_i)$

operations of $Z_p$ are used to form each $h_{ij}$. Since $D_i(x)$ has $k_i$ factors $h_{ij}(x)$, $1 \le j \le k_i$, and $\deg D_i = k_i m_i$, we get from (17), (18) the upper estimate

(19)  $O((nL(n))^2 (\log n + \log p))$

for the $Z_p$-operations used in Ben-Or's method to find all the irreducible factors $h_{ij}(x)$, $1 \le i \le t$, $1 \le j \le k_i$, of f(x), once a root of each factor was computed.

5. SUMMARY OF RESULTS AND EXTENSIONS

The root-finding method of Section 2 is not applicable to polynomials $f(x) \in GF(2^n)[x]$. However, a small modification does work. Instead of $x^{q-1} - 1$ we use the polynomial

$T(x) = x + x^2 + \cdots + x^{2^{n-1}}.$

For $\alpha \in GF(2^n) = E$ we have $T(\alpha)^2 = T(\alpha)$, so that every $\alpha$ is a root of T(x) = 0 or of T(x) = 1. Also $T(\alpha + \beta) = T(\alpha) + T(\beta)$.

THEOREM 6. If $\alpha_1 \ne \alpha_2$, $\alpha_1, \alpha_2 \in E$, then

$2^{n-1} = c(\{\delta \mid T(\delta \alpha_1) \ne T(\delta \alpha_2)\}).$

Proof. $T(\delta \alpha_1) \ne T(\delta \alpha_2)$ iff $T(\delta(\alpha_1 + \alpha_2)) \ne 0$, i.e. = 1. Now $\alpha_1 + \alpha_2 \ne 0$, so that $\beta = \delta(\alpha_1 + \alpha_2)$ runs with $\delta$ through all $\beta \in E$. In particular, for appropriate values of $\delta$, all the $2^{n-1}$ roots of T(x) = 1 are obtained. This proves the theorem.

Based on Theorem 6, we have a probabilistic root-finding algorithm for polynomials $f \in E[x]$ which is completely analogous to the algorithm in Section 2: the role of $(x + \delta)^d - 1$ is played by $T(\delta x)$, whose roots are exactly the $\alpha$ with $T(\delta \alpha) = 0$, so that a random $\delta$ separates the roots of $f_1$ into the two trace classes.
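An added check of Theorem 6 (example code, not from the paper) in $GF(2^4)$, with field elements written as 4-bit integers and multiplied modulo the defining polynomial $x^4 + x + 1$ (an assumption of the example; any irreducible quartic would serve). `count_separating` computes the cardinality in Theorem 6 by exhaustion, and `split_by_trace` performs the separation of a root set by the value of $T(\delta \alpha)$ on which the characteristic-2 variant of the Section 2 algorithm rests.

```python
N, MOD = 4, 0b10011                           # GF(2^4) defined by x^4 + x + 1 (assumed modulus)

def gf2_mul(a, b, n=N, mod=MOD):              # carry-less product, reduced whenever degree n appears
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = a << 1, b >> 1
        if a >> n: a ^= mod
    return r

def trace(a, n=N, mod=MOD):                   # T(a) = a + a^2 + ... + a^(2^(n-1)); the value is 0 or 1
    t, s = 0, a
    for _ in range(n):
        t, s = t ^ s, gf2_mul(s, s, n, mod)
    return t

def split_by_trace(elements, delta, n=N, mod=MOD):   # the two classes a random delta produces
    zeros = [a for a in elements if trace(gf2_mul(delta, a, n, mod), n, mod) == 0]
    ones = [a for a in elements if a not in zeros]
    return zeros, ones

def count_separating(a1, a2, n=N, mod=MOD):   # c({delta : T(delta a1) != T(delta a2)}) of Theorem 6
    return sum(trace(gf2_mul(d, a1, n, mod), n, mod) != trace(gf2_mul(d, a2, n, mod), n, mod)
               for d in range(1 << n))
```

For every pair $\alpha_1 \ne \alpha_2$ the count is $2^{n-1} = 8$, and for every nonzero $\delta$ the sixteen field elements split into two classes of eight, which is the exhaustive form of the statement that T takes each of the values 0 and 1 on exactly half of E.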

The factorization algorithm for polynomials $f(x) \in Z_p[x]$ given in Section 3 immediately generalizes to polynomials with coefficients in a general finite field E = GF(q). The operation counts are the same, with E-operations replacing $Z_p$-operations.

We summarize our results as follows.

1. Finding irreducible polynomials.

The expected number of steps for finding an irreducible polynomial $g(x) \in Z_p[x]$ of degree n is $O(n^3 \log n\, L(n) \log p)$. Any such polynomial enables us to compute in $GF(p^n)$.

2. Root-finding.

The expected number of $Z_p$-operations used to find a root in $E = GF(p^n)$ of a polynomial $f(x) \in E[x]$ of degree m is $O(n^2 m\, L(m) L(n) \log p)$.

If the arithmetic of $GF(p^n)$ is directly wired into circuitry so that an E-arithmetical operation is counted as one operation, then the number of operations for root-finding is $O(n m\, L(m) \log p)$.

3. Factorization into irreducible factors.

The total number of $Z_p$-operations for factoring a polynomial $f \in Z_p[x]$ of degree n is

$O(n^3 \log n\, L(n) \log p) + O(n^3 L(n)^2 \log p) + O(n^3).$

Here are included the computations of the necessary irreducible polynomials $g_m(x)$ needed for the arithmetic of the relevant fields $GF(p^m)$. The last term represents the operations used to solve linear equations under the first method.

If we assume that the arithmetic of all fields $GF(p^m)$, $m \le n$, is performed by wired circuitry then it is preferable to use the second method for computing the factors from the roots, based on (12) and (13). From (16) and (19) it follows, since each $GF(p^m)$-operation is counted as one operation, that the number of operations used for factoring a polynomial of degree n into irreducible factors is

$O(n^2 L(n) \log p) + O(n L(n)(\log n + \log p)).$

The first term majorizes the second term, but we display the latter as well since it reflects the structure of the algorithm.